cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
1620
Views
15
Helpful
11
Replies

Hospital 9800-40 HA upgrade to 17.9.3

lcaruso
Level 6
Level 6

Hi all, I need to upgrade a pair of 9800-40s in HA from 17.6.4 to 17.9.3 at a local hospital. While I have done an staging upgrade on the 9800-40s before production, I need a flawless upgrade plan for the hospital to minimize or eliminate downtime. Appreciate all comments from practitioners out there and especially those which plan ahead to avoid issues. It is a small network with fewer than 100 9120 access points. Thanks in advance. 

 

3 Accepted Solutions

Accepted Solutions

Leo Laohoo
Hall of Fame
Hall of Fame

If the controllers are in a Mobility Group, try the automated "Hitless Upgrade". 

IMPORTANT

The most important part of this feature is adequate WiFi coverage and not one in a "shoe-string" deployment.  If the hospital does not have redundant AP deployment (minimum 2 per area), there will be outages.  

Here are the steps: 

  1. Upgrade the secondary controller first to 17.9.3 using the normal method.  I am going to presume the secondary controller have ZERO APs in them.  
  2. After the secondary controller has successfully upgraded, on the Primary Controller, go to Administration > Software Management.  
  3. Under Hitless Software Upgrade (N + 1 Upgrade), tick Enable Hitless Upgrade.
  4. Pick a factor of 5%, 15% or 25%. 
  5. Enable Client Steering.  
  6. Hit Save Configuration & Activate.  

 

View solution in original post

marce1000
VIP
VIP

 

                                            >...and especially those which plan ahead to avoid issues.
 - Adding to other reply : save the running-config to an external repository/server too ; in case you need disaster recovery (to be safe)

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

View solution in original post

Rich R
VIP
VIP

a pair of 9800-40s in HA
Is that N+1 HA or HA-SSO?
If N+1 then Leo's answer applies.
If SSO then your main option is ISSU but many of us have found ISSU to be not very reliable and often goes wrong, so before considering that you should test it thoroughly and definitely have TAC on standby for if/when it goes wrong.
As I've said on a few previous posts we've never considered it reliable enough to use in production (too many problems using it in lab testing) so we just take the hit for a few minutes for a full reload.

As I've recommended on a few recent posts - 17.9.3 already has some required SMU and APSP so if you deploy 17.9.3 then you still need to install those after the upgrade (more reloads required).  Whereas 17.9.4 has been out for just over 1 month now and likely to become TAC preferred version very soon so I would recommend using that now instead of 17.9.3 to avoid having to install those SMU and APSP, which will increase the total downtime for your change.

View solution in original post

11 Replies 11

Leo Laohoo
Hall of Fame
Hall of Fame

If the controllers are in a Mobility Group, try the automated "Hitless Upgrade". 

IMPORTANT

The most important part of this feature is adequate WiFi coverage and not one in a "shoe-string" deployment.  If the hospital does not have redundant AP deployment (minimum 2 per area), there will be outages.  

Here are the steps: 

  1. Upgrade the secondary controller first to 17.9.3 using the normal method.  I am going to presume the secondary controller have ZERO APs in them.  
  2. After the secondary controller has successfully upgraded, on the Primary Controller, go to Administration > Software Management.  
  3. Under Hitless Software Upgrade (N + 1 Upgrade), tick Enable Hitless Upgrade.
  4. Pick a factor of 5%, 15% or 25%. 
  5. Enable Client Steering.  
  6. Hit Save Configuration & Activate.  

 

marce1000
VIP
VIP

 

                                            >...and especially those which plan ahead to avoid issues.
 - Adding to other reply : save the running-config to an external repository/server too ; in case you need disaster recovery (to be safe)

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

eglinsky2012
Spotlight
Spotlight

You may also want to open a "standby" TAC case for the time of the upgrade to save some time opening the case if there are issues with the upgrade. I haven't done this yet personally, but it was suggested by my sales engineer. The Internet has mixed opinions on doing this, which you could research, but I'd be interested in hearing what the experts here think about it.

Rich R
VIP
VIP

a pair of 9800-40s in HA
Is that N+1 HA or HA-SSO?
If N+1 then Leo's answer applies.
If SSO then your main option is ISSU but many of us have found ISSU to be not very reliable and often goes wrong, so before considering that you should test it thoroughly and definitely have TAC on standby for if/when it goes wrong.
As I've said on a few previous posts we've never considered it reliable enough to use in production (too many problems using it in lab testing) so we just take the hit for a few minutes for a full reload.

As I've recommended on a few recent posts - 17.9.3 already has some required SMU and APSP so if you deploy 17.9.3 then you still need to install those after the upgrade (more reloads required).  Whereas 17.9.4 has been out for just over 1 month now and likely to become TAC preferred version very soon so I would recommend using that now instead of 17.9.3 to avoid having to install those SMU and APSP, which will increase the total downtime for your change.


@Rich R wrote:
If SSO then your main option is ISSU but many of us have found ISSU to be not very reliable and often goes wrong, so before considering that you should test it thoroughly and definitely have TAC on standby for if/when it goes wrong.

Agree.  

@lcaruso, make sure TAC is on a WebEx into your controller before the ISSU upgrade starts.  IT is of utmost importance TAC is able to "witness" if-and-when ISSU fails for the following reasons: 

1.  If ISSU fails and a split-brain-ping-pong happens, TAC would know how to arrest this event and normalize the WLAN.  
2.  If TAC is not a witness of the ISSU failure, the issue will not be investigated.

Hi,

I have a pair of 9800-40 in SSO that I plan to upgrade from 17.9.4a to 17.12.3. I also have an extra pair of 9800-40 in SSO with no ap's connecting already running 17.12.3 with same config as the one in operation. Is there any reason why I should not be able to follow the Hitless Software Upgrade (N + 1 Upgrade) procedure?

 

 @rlunestad  I don't see any obstructions for  Hitless Software Upgrade (N + 1 Upgrade) ; but follow the
                    instructions according to : https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/215550-hitless-software-upgrade-on-catalyst-980.html

      I would also advise to have a checkup of the current standby pair with 17.12.3 (already) using the CLI command
      show tech wireless   (not 'show tech') and feed the output from that into Wireless Config Analyzer
                   That way you can examine that this controller is 'solid for use too'

  Actually the above is very useful for the current production controller to!!

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

As long as both pairs are in the same Mobility Group, Hitless Software Upgrade will work.  

marce1000
VIP
VIP

 

 - 'Deleted'

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

@marce1000 that's for AireOS!
For 9800:
https://www.cisco.com/c/en/us/support/docs/wireless/catalyst-9800-series-wireless-controllers/220277-configure-high-availability-sso-on-catal.html
https://www.cisco.com/c/dam/en/us/td/docs/wireless/controller/9800/17-6/deployment-guide/c9800-ha-sso-deployment-guide-rel-17-6.pdf
https://www.ciscolive.com/c/dam/r/ciscolive/global-event/docs/2023/pdf/BRKEWN-2846.pdf

lcaruso
Level 6
Level 6

Thank you kindly to all who responded! Excellent advice! 

Review Cisco Networking for a $25 gift card